Fun with Wireshark and SMTP

1. What is Ann’s email address?
2. What is Ann’s email password?
3. What is Ann’s secret lover’s email address?
4. What two items did Ann tell her secret lover to bring?
5. What is the NAME of the attachment Ann sent to her secret lover?
6. What is the MD5sum of the attachment Ann sent to her secret lover?
7. In what CITY and COUNTRY is their rendez-vous point?
8. What is the MD5sum of the image embedded in the document?

Opening up the pcap file with Wireshark, it’s obvious that Ann is using unencrypted SMTP. If we follow the TCP stream, we see the following:

Commands sent from Ann are in red, responses from the server are in blue. We can see that Ann sent an AUTH LOGIN command to the server, followed by some text that is not human readable. Reading up on the AUTH LOGIN command, we can see that the username and password aren’t actually encrypted, just encoded using base64. Decoding them reveals that Ann’s username is sneakyg33k@aol.com with a password of 558r00lz.

The recipient of the email can be determined by looking at the RCPT TO field, which is also in plain text (sec558@gmail.com). In addition, we can see the first part of this multi-part message:

To see the second part of this multipart message, I just incremented the tcp.stream from 2 to 3, which gives us the answers to questions 4 and 5:
Now we need to somehow extract this message from the email. The approach we used for challenge #1 should work here: save the stream to disk, remove the parts we don’t actually need, and try to open the attachment.

Step 1 is the same as it was in challenge 1: save the stream to disk. Next, we need to remove all the data that isn’t actually part of the attachment. I did this manually through vim, although I’m sure there’s a better way. Next, I whipped up a little python script that: